4 replies

getSession intermittently fails cookie signature verification, deletes cookies

We've been seeing erratic unexpected log-outs in our app, and have traced it down to the session cookie being deleted because it has the wrong signature here:

https://github.com/better-auth/better-auth/blob/v1.2.5/packages/better-auth/src/api/routes/session.ts#L118

I have confirmed it is a signature mismatch by patching debug logs into

getSession()

getSession()

— they show

sessionDataPayload.signature

sessionDataPayload.signature

doesn't match a signature created with

createHMAC(...).sign()

createHMAC(...).sign()

using the same contents.

We're using the phoneNumber plugin, and are encountering the issue most reliably (about 2% of runs) immediately after

authClient.phoneNumber.verify()

authClient.phoneNumber.verify()

succeeds, but we're also occasionally seeing the issue at other times unrelated to the login flow.

Perhaps of note,

sessionDataPayload.expiresAt

sessionDataPayload.expiresAt

is almost exactly cookieCache.maxAge in the future (which makes sense immediately after a successful phoneNumber verification). Is it possible that, as a client's request is heading out, a response from a previous request (e.g phoneNumber.verify) is updating the cookie's expiry but doesn't have time for the signed contents, or... something like that? What else could be causing this? And how can I guard against it? I'm at a bit of a loss trying to figure out what to try doing next, so any suggestions would be very appreciated